Oxford Health NHS 
Foundation Trust 


Executive summary 


Audit Methodology 


The Information Commissioner is responsible for enforcing and promoting compliance with the UK General Data 
Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA18) and other data protection legislation. 
Section 146 of the DPA18 provides the Information Commissioner's Office (ICO) with the power to conduct 
compulsory audits through the issue of assessment notices. Section 129 of the DPA18 allows the ICO to carry out 
consensual audits. 


The ICO is an independent, proportionate regulator and sees auditing as a constructive process with real benefits 
for controllers and so aims to establish a participative approach. High standards of personal data protection 
compliance help organisations innovate and deliver great services by building trust with the public. The ICO's 
expertise and consistent approach to regulation provides certainty enabling organisations to feel confident to use 
personal data responsibly, innovate and support economic growth. 


This audit was conducted consensually as part of the ICO's routine audit programme. 


The purpose of the audit is to provide the Information Commissioner and Oxford Health NHS Foundation Trust (the 
Trust) with an independent assurance of the extent to which the Trust, within the scope of this agreed audit, is 
complying with data protection legislation. 


The scope areas covered by this audit are determined following a risk-based analysis of the Trust's processing of 
personal data. The scope may take into account any data protection issues or risks which are specific to the Trust, 
identified from ICO intelligence or the Trust's own concerns, and/or any data protection issues or risks which affect 
their specific sector or organisations more widely. The ICO has further tailored the controls covered in each scope 
area to take into account the organisational structure of the Trust and the nature and extent of the Trust's processing 
of personal data, and to avoid duplication across scope areas. As such, the scope of this audit is unique to the 
Trust. 


It was agreed that the audit would focus on the following areas: 


Scope area: Governance & Accountability 
Description: The extent to which information governance accountability, policies and procedures, performance 
measurement controls, and reporting mechanisms to monitor data protection compliance with both the UK GDPR and 
national data protection legislation are in place and in operation throughout the organisation. 

Scope area: Data Sharing 
Description: The design and operation of controls to ensure the sharing of personal data complies with the 
principles of all data protection legislation. 


Audits are conducted following the Information Commissioner’s data protection audit methodology. The key 
elements of this are normally a desk-based review of selected policies and procedures, on-site visits including 
interviews with selected staff, and an inspection of selected records. 


However, due to the outbreak of Covid-19, and the resulting restrictions on travel, this methodology was no 
longer appropriate. Therefore the Trust agreed to continue with the audit on a remote basis. A desk-based review 
of selected policies and procedures and remote telephone interviews were conducted from 26 October 2021 to 29 
October 2021. The ICO would like to thank the Trust for its flexibility and commitment to the audit during difficult 
and challenging circumstances. 


Where weaknesses were identified, recommendations have been made, primarily around enhancing existing 
processes to facilitate compliance with data protection legislation. In order to assist the Trust in implementing the 
recommendations, each has been assigned a priority rating based upon the risks that it is intended to address. 


The ratings are assigned based upon the ICO's assessment of the risks involved. The Trust's priorities and risk 
appetite may vary and, therefore, it should undertake its own assessment of the risks identified. 


Audit Summary 


Scope area: Governance & Accountability 
Assurance rating: Reasonable. There is a reasonable level of assurance that processes and procedures are in place 
and are delivering data protection compliance. The audit has identified some scope for improvement in existing 
arrangements to reduce the risk of non-compliance with data protection legislation. 


Scope area: Data Sharing 
Assurance rating: Reasonable. There is a reasonable level of assurance that processes and procedures are in place 
and are delivering data protection compliance. The audit has identified some scope for improvement in existing 
arrangements to reduce the risk of non-compliance with data protection legislation. 
Priority Recommendations 


Breakdown by Scope of Priority Recommendations 


[Bar chart: number of recommendations by priority (Low, Medium, High, Urgent) for each scope area, 
Governance & Accountability and Data Sharing] 


The bar chart above shows a breakdown by scope area of the priorities assigned to the recommendations made: 


- Governance & Accountability scope has 3 urgent, 7 high, 12 medium and 1 low priority recommendations 
- Data Sharing scope has 0 urgent, 7 high, 5 medium and 0 low priority recommendations 
Graphs and Charts 


Governance & Accountability 
Assurance rating summary 


[Pie chart: share of controls rated High, Reasonable, Limited and Very Limited assurance] 


The pie chart above shows a summary of the assurance ratings awarded in the Governance & Accountability 
scope: 41% high assurance, 39% reasonable assurance, 5% limited assurance, 15% very limited assurance. 
Data Sharing 
Assurance Rating Summary 


[Pie chart: share of controls rated High, Reasonable, Limited and Very Limited assurance] 


The pie chart above shows a summary of the assurance ratings awarded in the Data Sharing scope: 29% high 
assurance, 24% reasonable assurance, 35% limited assurance, 12% very limited assurance. 
Areas for Improvement 


Governance & Accountability: 


The Trust's Record of Processing Activities (RoPA) requires improvement. The evidence provided by the Trust was more 
of a data flow map and therefore is not fully in line with the requirements of Article 30 of the UK GDPR. The 
requirements include having a record of the name and contact details of the data controller, a description of the 
categories of individuals and recipients of personal data, retention schedules and a description of the technical and 
organisational security measures in place at the Trust. 

The Trust has a Data Protection Officer (DPO) in place who also holds other positions and responsibilities. The Trust 
needs to consider whether these additional roles and responsibilities pose a conflict of interest for the DPO or a demand on 
the DPO's time which could impact on their duties as DPO. 


Data sharing: 


There is no Information Sharing Agreement (ISA) log to record vital information pertaining to the current ISAs to which the 
Trust is party, and to maintain a record of the undertaking and outcome of periodic reviews of existing ISAs. 

There is a lack of specialised training for staff with data sharing roles and those that deal with children's data. 

There is no dedicated Information Sharing policy or procedure to provide guidance on ad hoc disclosures, or to give 
assurance that all ISAs include UK GDPR requirements such as effective incident management procedures. 
Disclaimer 


The matters arising in this report are only those that came to our attention during the course of the audit and are not 
necessarily a comprehensive statement of all the areas requiring improvement. 


The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in 
place rests with the management of the Trust. 


We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to any person 
or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in 
connection with, the use of this report, however such loss or damage is caused. We cannot accept liability for loss 
occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any 
information contained in this report. 


This report is an exception report and is solely for the use of the Trust. The scope areas and controls covered by the audit 
have been tailored to the Trust and, as a result, the audit report is not intended to be used in comparison with other ICO 
audit reports. 